Thursday, July 12, 2007

Recently I set up a simple enough VPN with a gentoo/xenplanet-hosted OpenVPN (howto) to secure my wifi traffic from public locations. The problem described here is quite trivial, but its solution wasn't found in a quick search, hence this post!

Problem: The redirect-gateway configuration option makes all client traffic route through the xenplanet box. iptables-based masquerading was used to perform SNAT on traffic from OpenVPN clients, however HTTPS was completely broken: the initial TCP connection would go through, but as soon as the client initiated the SSL handshake the HTTPS server would immediately close the TCP connection.

Extensive Googlin' turned up very little related to OpenVPN and the resolution of such an issue, although it has been mentioned a number of times in mailing list entries such as here. I changed tack and searched for NAT issues related to tunnels with iptables, striking gold here with a description of a working NAT setup with a CIPE tunnel.

So, to get client HTTPS traffic working with OpenVPN and redirect-gateway, instead of this: